Monday, May 16, 2011

Android zsone malware

Hi !

Recently, a new piece of malware called "zsone" was published on the official Android Market.

It is a good exercise to run Androguard on this malware and to try out its new features.

So, androlyze.py now has a direct method to open an APK and expose its interesting pieces (for example, class and method names in the Python namespace and a proper display for functions):


This time there is no embedded exploit, so the next step is to look at the permissions the application requests:


So the application can receive and send SMS messages thanks to the RECEIVE_SMS and SEND_SMS permissions. To actually receive an SMS, it must also declare a matching broadcast receiver among its entry points:
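
Androguard does this on the binary AndroidManifest.xml inside the APK. As an added example (not code from the original post or from Androguard), the snippet below does the same two checks on a manifest that has already been decoded to text (for example with apktool): it lists the requested permissions and then reports which receivers can see incoming SMS, i.e. receivers whose intent filter listens on SMS_RECEIVED, together with their priority. The manifest, the package name and the class names are constructed for the example; only the permission and action strings are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest in the shape of a decoded AndroidManifest.xml.
# Package, class names and the priority value are invented for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Sample">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def get_permissions(manifest_xml):
    """Sorted list of every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(attr(p, "name") for p in root.iter("uses-permission"))


def get_receivers(manifest_xml):
    """Map receiver class -> [(action, priority), ...] for every <receiver>.

    A missing android:priority means the default priority 0."""
    root = ET.fromstring(manifest_xml)
    result = {}
    for recv in root.iter("receiver"):
        entries = []
        for flt in recv.findall("intent-filter"):
            prio = attr(flt, "priority")
            prio = int(prio) if prio is not None else 0
            for action in flt.findall("action"):
                entries.append((attr(action, "name"), prio))
        result[attr(recv, "name")] = entries
    return result


def sms_entry_points(manifest_xml):
    """Receivers that will be handed incoming SMS.

    Two things are needed: the RECEIVE_SMS permission and an intent filter on
    SMS_RECEIVED. Returns [(receiver, priority)]; SMS_RECEIVED is an ordered
    broadcast, so a high priority lets a receiver see (and abort) the message
    before the stock SMS application does."""
    if "android.permission.RECEIVE_SMS" not in get_permissions(manifest_xml):
        return []
    hits = []
    for name, entries in get_receivers(manifest_xml).items():
        for action, prio in entries:
            if action == SMS_RECEIVED:
                hits.append((name, prio))
    return sorted(hits)


if __name__ == "__main__":
    print("permissions:", get_permissions(SAMPLE_MANIFEST))
    print("SMS receivers:", sms_entry_points(SAMPLE_MANIFEST))
```

The priority is the detail worth keeping an eye on: a receiver that both has a high priority on SMS_RECEIVED and requests SEND_SMS is exactly the shape an SMS-hiding premium-number sender takes, although the manifest alone only tells you what the application may do, not what it does.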


Moreover, it is possible to find where a specific permission is used in the code. For that we have an automatic tool that parses the Android API documentation and extracts the methods whose documentation names a required permission. Not every API method documents its permission correctly, though, so part of the list has to be maintained by hand (if you are interested, you can submit new permission mappings):


The method "sendSMS" calls the sendTextMessage API to send an SMS. Next we need to know from where this method is called:


Moreover, the "sendSMS" method sends the message "921X1" to the number 1066185829 if a specific value is set:


Finally, the method "showImg" calls sendSMS when the value has index 5:
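
The three steps above (map a permission to the API methods it guards, find the app methods that call those APIs, then walk the callers back up to an entry point) are what Androguard's cross-references do over the real Dalvik bytecode. As an added example, not code from the post or from Androguard, the block below performs the same walk over a constructed call graph written in Dalvik descriptor notation. The class names are invented and the edges are a guess at the shape described in the post (onCreate -> showImg -> sendSMS -> sendTextMessage); only the android.* API descriptors and the permission names are real. The permission map is a small hand-maintained one, which is the kind of list the post says has to be completed by hand.

```python
# Constructed call-graph edges (caller, callee) in Dalvik descriptor form.
# The com/example/sample classes and the exact chain are assumptions for the
# example; the Android API descriptors are real.
ON_CREATE = "Lcom/example/sample/MainActivity;->onCreate(Landroid/os/Bundle;)V"
SHOW_IMG = "Lcom/example/sample/MainActivity;->showImg(I)V"
SEND_SMS = "Lcom/example/sample/MainActivity;->sendSMS(Ljava/lang/String;Ljava/lang/String;)V"
ON_RECEIVE = ("Lcom/example/sample/SmsReceiver;->onReceive"
              "(Landroid/content/Context;Landroid/content/Intent;)V")
SEND_TEXT = ("Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;"
             "Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;"
             "Landroid/app/PendingIntent;)V")
GET_DEFAULT = "Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;"
GET_DEVICE_ID = "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;"
GET_ORIGIN = "Landroid/telephony/SmsMessage;->getOriginatingAddress()Ljava/lang/String;"
ABORT = "Landroid/content/BroadcastReceiver;->abortBroadcast()V"

EDGES = [
    (ON_CREATE, GET_DEVICE_ID),
    (ON_CREATE, SHOW_IMG),
    (SHOW_IMG, SEND_SMS),
    (SEND_SMS, GET_DEFAULT),
    (SEND_SMS, SEND_TEXT),
    # A receiver hides an SMS by reading the sender and aborting the ordered
    # broadcast before the stock SMS application sees it.
    (ON_RECEIVE, GET_ORIGIN),
    (ON_RECEIVE, ABORT),
]

# Hand-maintained permission map, keyed by "Lclass;->method" without the
# argument signature so that overloads are covered by one entry.
PERMISSION_MAP = {
    "android.permission.SEND_SMS": {
        "Landroid/telephony/SmsManager;->sendTextMessage",
        "Landroid/telephony/SmsManager;->sendMultipartTextMessage",
        "Landroid/telephony/SmsManager;->sendDataMessage",
    },
    "android.permission.READ_PHONE_STATE": {
        "Landroid/telephony/TelephonyManager;->getDeviceId",
        "Landroid/telephony/TelephonyManager;->getLine1Number",
        "Landroid/telephony/TelephonyManager;->getSubscriberId",
    },
}


def short(desc):
    """Strip the argument/return signature: 'Lc;->m(I)V' -> 'Lc;->m'."""
    return desc.split("(", 1)[0]


def permission_uses(edges, permission, perm_map=PERMISSION_MAP):
    """App methods that directly call an API guarded by `permission`."""
    guarded = perm_map.get(permission, set())
    return sorted({caller for caller, callee in edges if short(callee) in guarded})


def callers_of(edges, method):
    """Methods that invoke `method` (signature-insensitive)."""
    return sorted({caller for caller, callee in edges if short(callee) == short(method)})


def paths_to(edges, target, max_depth=10):
    """Every caller chain ending in `target`, starting from a method that no
    other app method calls (an entry point such as onCreate or onReceive)."""
    def walk(node, path, depth):
        if depth > max_depth:
            return []
        parents = callers_of(edges, node)
        if not parents:
            return [[node] + path]
        out = []
        for p in parents:
            if p == node or p in path:  # guard against recursive code
                continue
            out.extend(walk(p, [node] + path, depth + 1))
        return out
    return walk(target, [], 0)


if __name__ == "__main__":
    for perm in PERMISSION_MAP:
        print(perm, "used by", permission_uses(EDGES, perm))
    for chain in paths_to(EDGES, SEND_TEXT):
        print(" -> ".join(short(m).split("->")[1] for m in chain))
```

Run on the sample graph this prints the chain `onCreate -> showImg -> sendSMS -> sendTextMessage`, which is the question the post is answering: not just "does the code call sendTextMessage" but "which user-visible path leads there". The condition guarding the call (the index-5 check in showImg, the value tested in sendSMS) is not in a call graph; that still needs reading the method bodies.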

In the "onReceive" method there is a filter on specific sender numbers, used to hide those SMS from the user :)

See ya quickly !
